In the second part of Langill’s whitepaper, entitled “Analyzing the Malware,” there is a detailed analysis of the campaign’s attack vectors, the malware itself, the Trojanized software content it created, and its command-and-control (C2) infrastructure.

Over the past few years, industrial infrastructure has been a key target for hackers and government-sponsored warfare, attracting some of the most sophisticated cyber attacks on record, including Stuxnet, Flame and Duqu. Dragonfly is significant because it is the first one of the advanced attacks since Stuxnet to have payloads that target specific ICS components.

The objective of this report was to understand the Dragonfly campaign in order to provide the best possible advice to users for defending against advanced malware threats.

Langill’s review of Dragonfly focused on executing the malicious code on systems that reflect real world ICS configurations and observing the malware’s impact.

Three main factors led him to believe the target is the intellectual property of pharmaceutical organizations:
• Out of thousands of possible ICS suppliers, the three companies targeted for Trojanized software were not primary suppliers to “energy” facilities. Instead, all three offered products and services most commonly used by the pharmaceutical industry.
• The Dragonfly attack is very similar in nature to another campaign called Epic Turla and likely managed by the same team. Epic Turla has targeted the intellectual property of pharmaceutical companies.
• The Dragonfly malware contained an Industrial Protocol Scanner module that searched for devices on TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric). These protocols and products have a higher installed base in packaging and manufacturing applications typically found in consumer packaged goods industries, such as pharmaceutical rather than the energy industry.

Dragonfly is a technically accomplished and strategically executed campaign that signals a new era of threat: Offense in Depth.

The Dragonfly campaign consisted of a diversified arsenal of attack vectors.

In addition, the Dragonfly offensive included numerous C2 websites used to deliver updated software modules to infected computers.

These payload modules carried out activities, such as:
• Collecting basic information on the infected system and its configuration
• Collecting ICS-related configuration files and VPN configuration files (including passwords)
• Itemizing all Windows hosts on local area networks
• Querying Windows hosts and PLCs for OPC-related services
• Attempting to create new OPC instances
• Listening for communications on TCP service ports commonly associated with industrial protocols

As mentioned, Dragonfly used an ingenious assortment of pathways to the control system, Langill said. The Trojanized software download attacks showed how trusted supply chain vendors can end up used to deliver malicious payloads directly to difficult to reach endpoints, such as ICS equipment.

The Trojanized supplier software ended up installed by users with non-administrative accounts even though the legitimate software was blocked. Thus, even computers “hardened” with secure local policies can suffer infection.

Another aspect of Dragonfly was its payloads gained permanent installation on engineering laptops and then recorded reconnaissance results from isolated ICS systems for later transmission to the C2 servers when the laptop changed locations. Mobile devices allowed to move from isolated ICS networks to less secure office networks, can relay information about the secure system to the attackers via the Internet.

“The combination of Dragonfly’s Offense in Depth strategy and the fact that it circumvented traditional desktop security controls highlights the urgent need for matching Defense in Depth security on the plant floor,” said Eric Byres, CTO of Tofino Security, a Belden Brand. “Not only do we need to defend the ICS devices, but industry also needs to consider better defenses for the ICS network.

“For example, monitoring unauthorized HTTP traffic coming out of an ICS system would have been a very effective defense against this malware. Most ICS systems should not be communicating to Web servers on the Internet, especially ones with URLs like ‘sinfulcelebs.freesexycomics.com.’

“The fact that the Dragonfly campaign ran for almost a year without detection shows that the monitoring and control of ICS traffic (especially outbound traffic) is still unacceptably poor in many industries.”